73 Microsoft Packages Weaponized to Deploy Password Stealer Malware
By Tushar Subhra Dutta
June 10, 2026
Seventy-three Microsoft repositories on GitHub were suddenly disabled on June 8, 2026, after a self-replicating worm infected a large portion of the company’s Azure Functions ecosystem.
The entire sweep happened in just 105 seconds, with all 73 repositories flagged and shut down between 19:00 and 19:02 UTC. What looked like a routine enforcement action was actually the visible tail end of a quiet, months-long intrusion.
The malware is called Miasma, also tracked under the name “The Spring Blight.” It is a worm that spreads across GitHub repositories by compromising supply-chain packages, stealing developer credentials, and replicating itself into new projects.
The attack touched four of Microsoft’s core GitHub organizations, namely Azure, Azure-Samples, microsoft, and MicrosoftDocs, taking out repositories that millions of developers rely on every single day.
Analysts at OpenSource Malware said in a report shared with Cyber Security News (CSN) that they identified the intrusion and published a detailed breakdown of how the worm moved through Microsoft’s infrastructure.
Their research connected the June 8 incident to a broader campaign involving the Shai-Hulud toolkit, which had previously targeted AWS and GitHub environments. This time, the attackers upgraded their reach to go after Azure credentials specifically.
The attack also triggered a cascading failure for developers worldwide. When GitHub disabled Azure/functions-action, every CI/CD pipeline referencing Azure/functions-action@v1 stopped working immediately.
Microsoft’s initial statement described it as an “internal management issue,” only to revise that explanation twelve minutes later once the full scale of the incident became clear.
The compromise was wide enough to shake confidence in Microsoft’s own supply chain. A credential-harvesting worm sitting at the center of the Azure Functions ecosystem is not a minor event, and the speed at which it spread showed the attackers had carefully planned the entire operation.
73 Microsoft Packages Weaponized
Miasma’s entry point was the durabletask PyPI package, which sits at the core of Microsoft’s Durable Task framework used across Node.js, Python, Java, Go, JavaScript, MSSQL, Netherite, and protobuf implementations.
The attackers pushed three malicious versions, 1.5.1, 1.5.2, and 1.5.3, to PyPI inside a 38-minute window. None of the uploads had matching tags, releases, or CI runs in the GitHub repository, a red flag that something was wrong.
Those versions quietly pulled around 31,000 downloads before anyone caught them. The malicious package contained preinstall hooks that invoked Bun against a non-robust index.js loader, which is now considered Miasma’s known execution signature.
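The two warning signs described above, PyPI versions with no matching git tag and several uploads packed into a short window, can be checked mechanically. The following is an added example written for this article, not code from OpenSource Malware or Microsoft; the upload timestamps, version list and tag names are constructed stand-ins, and in practice the inputs would come from the PyPI JSON API (release list with upload times) and `git tag` on the source repository.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not taken from PyPI or the durabletask repository):
# five releases, the last three of which have no git tag and were uploaded
# within about forty minutes of each other.
PYPI_UPLOADS = [
    ("1.4.0", datetime(2026, 1, 10, 9, 0)),    # constructed timestamps
    ("1.5.0", datetime(2026, 3, 2, 12, 0)),
    ("1.5.1", datetime(2026, 5, 20, 10, 0)),
    ("1.5.2", datetime(2026, 5, 20, 10, 17)),
    ("1.5.3", datetime(2026, 5, 20, 10, 38)),
]
GIT_TAGS = ["v1.4.0", "python-v1.5.0"]  # assumption: tag naming style

# Strip an optional component prefix ("python-") and a leading "v" so that a
# tag such as "python-v1.5.0" compares equal to the PyPI version "1.5.0".
TAG_PREFIX = re.compile(r"^(?:[A-Za-z]+-)?v?")


def normalize_tag(tag: str) -> str:
    return TAG_PREFIX.sub("", tag, count=1)


def version_key(version: str):
    # Numeric sort key so "1.10.0" orders after "1.9.0".
    return tuple(int(p) if p.isdigit() else p for p in version.split("."))


def unreleased_versions(pypi_versions, git_tags):
    """Versions published on PyPI that have no corresponding tag in git."""
    tagged = {normalize_tag(t) for t in git_tags}
    return sorted((v for v in pypi_versions if v not in tagged), key=version_key)


def upload_bursts(uploads, window=timedelta(hours=1), min_count=2):
    """Group releases whose upload times each fall within `window` of the previous one.

    A cluster of uploads in a short window is not proof of compromise on its
    own, but combined with missing tags it deserves an analyst's attention.
    """
    ordered = sorted(uploads, key=lambda u: u[1])
    groups, current = [], []
    for version, ts in ordered:
        if current and ts - current[-1][1] > window:
            if len(current) >= min_count:
                groups.append([v for v, _ in current])
            current = []
        current.append((version, ts))
    if len(current) >= min_count:
        groups.append([v for v, _ in current])
    return groups


def audit(uploads=PYPI_UPLOADS, git_tags=GIT_TAGS):
    versions = [v for v, _ in uploads]
    unreleased = unreleased_versions(versions, git_tags)
    bursts = upload_bursts(uploads)
    # Highest-priority finding: untagged versions that were also uploaded in a burst.
    suspicious = sorted(
        {v for group in bursts for v in group if v in unreleased}, key=version_key
    )
    return {"unreleased": unreleased, "bursts": bursts, "suspicious": suspicious}


if __name__ == "__main__":
    for name, value in audit().items():
        print(f"{name}: {value}")
```

Either finding alone produces false positives (some projects tag lazily, and legitimate maintainers sometimes ship a quick series of fixes), which is why `audit()` reports the intersection separately from the two raw lists.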
Once inside a developer’s environment, the worm stole GitHub Actions secrets and shipped them to an external service called TempGPT.
Beyond GitHub credentials, Miasma specifically targeted Azure OIDC authentication hashes and managed-identity tokens.
These allow cloud applications to authenticate with Azure services without storing passwords directly. Stealing them gives an attacker quiet, persistent access to cloud infrastructure that is very hard to detect and revoke.
Credential Theft and Worm-Like Propagation Across Azure
Once the worm harvested credentials, it did not stop there. Miasma created public GitHub repositories in the victim’s own account, describing them as “Miasma: The Spring Blight,” and committed the stolen secrets into those repositories as JSON.
That mass-creation activity triggered GitHub’s automated terms-of-service enforcement, causing 73 repos to go dark in under two minutes.
Earlier Shai-Hulud strains had focused on AWS access keys and GitHub personal tokens. This variant extended that playbook by reaching into Azure OIDC and managed-identity layers, representing a meaningful escalation in scope and ambition.
Security researchers strongly recommend that teams using Azure Functions pipelines pin their actions to a full commit SHA rather than a floating tag like @v1. Rotating Azure OIDC tokens, managed-identity credentials, and any npm or PyPI tokens reachable from affected workflows is also a priority.
Teams should check package install hooks for preinstall scripts invoking Bun against unfamiliar index.js loaders. Until Azure/functions-action is fully restored, Microsoft’s recommended alternatives include Azure CLI, Azure DevOps Pipelines, VS Code deployment, and Zip Deploy.
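The two checks recommended above, pinning `uses:` references to a full commit SHA and looking for install-time hooks that run Bun against an `index.js` loader, are easy to script over a repository checkout. This is an added example written for this article, not code from Microsoft or any affected project; the workflow, the `package.json` and the commit SHA in it are constructed placeholders.

```python
import json
import re

# Constructed workflow and package.json (not from any Microsoft project).
# The 40-character SHA below is a placeholder, not a real commit.
WORKFLOW_YAML = """\
name: deploy-function
on: [push]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: Azure/functions-action@v1
        with:
          app-name: example-function-app
      - uses: ./.github/actions/local-step
"""

PACKAGE_JSON = """\
{
  "name": "example-package",
  "version": "0.0.1",
  "scripts": {
    "preinstall": "bun ./index.js",
    "build": "tsc -p .",
    "test": "node --test"
  }
}
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# `bun` or `bunx` invoking an index.js file: the install-hook pattern the article names.
BUN_LOADER_RE = re.compile(r"\bbunx?\b.*\bindex\.js\b")


def unpinned_uses(workflow_yaml: str):
    """Return (action, ref) pairs whose ref is not a full 40-hex commit SHA."""
    findings = []
    for line in workflow_yaml.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        if spec.startswith("./") or spec.startswith("docker://"):
            continue  # local and container actions are not tag-pinned the same way
        action, _, ref = spec.partition("@")
        if not FULL_SHA_RE.fullmatch(ref):
            findings.append((action, ref))
    return findings


def suspicious_lifecycle_scripts(package_json: str):
    """Return (hook, command) pairs where an install-time hook runs bun against an index.js."""
    scripts = json.loads(package_json).get("scripts", {})
    return [
        (hook, cmd)
        for hook, cmd in scripts.items()
        if hook in LIFECYCLE_HOOKS and BUN_LOADER_RE.search(cmd)
    ]


if __name__ == "__main__":
    print("unpinned actions:", unpinned_uses(WORKFLOW_YAML))
    print("suspicious install hooks:", suspicious_lifecycle_scripts(PACKAGE_JSON))
```

A floating tag such as `@v1` is a mutable pointer: whoever controls the upstream repository can move it, which is exactly why a disabled or compromised action breaks every pipeline that references it. Pinning to a SHA and adding a comment with the version it corresponds to keeps the reference stable while still being readable. The lifecycle-hook check should be run against dependencies as well as the project's own `package.json`, since that is where a malicious package would place it.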
Any organization using these repositories should audit their own GitHub orgs for unexplained public repos referencing the Spring Blight campaign.
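An organisation audit has two parts: finding unexplained public repositories that reference the campaign, and, where one is found, working out which secrets were committed so the rotation list from the previous recommendations is complete. The following is an added example for this article, not code from OpenSource Malware or GitHub; the repository metadata mirrors the field names GitHub's REST API returns for an organisation's repositories, but every repository, description and JSON value here is constructed.

```python
import json
import re

# Constructed repository metadata, shaped like GitHub REST API fields
# (name, description, private). None of these repositories exist.
ORG_REPOS = [
    {"name": "billing-service", "description": "Internal billing API", "private": True},
    {"name": "example-miasma-repo", "description": "Miasma: The Spring Blight", "private": False},
    {"name": "docs-site", "description": "Public documentation", "private": False},
]

# Constructed stand-in for the kind of JSON file the worm is described as
# committing (stolen secrets serialised as JSON). Values are placeholders.
COMMITTED_JSON = """\
{
  "GITHUB_TOKEN": "PLACEHOLDER",
  "AZURE_CLIENT_SECRET": "PLACEHOLDER",
  "AZURE_TENANT_ID": "00000000-0000-0000-0000-000000000000",
  "region": "westus"
}
"""

CAMPAIGN_MARKERS = re.compile(r"miasma|spring\s+blight", re.IGNORECASE)
SECRET_KEY_RE = re.compile(
    r"secret|token|password|passwd|api[_-]?key|private[_-]?key", re.IGNORECASE
)


def campaign_repos(repos):
    """Names of public repositories whose name or description references the campaign."""
    return [
        r["name"]
        for r in repos
        if not r.get("private", False)
        and CAMPAIGN_MARKERS.search(f'{r["name"]} {r.get("description") or ""}')
    ]


def secret_like_keys(json_text: str):
    """Dotted paths of keys in a committed JSON document that look like credentials."""
    found = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                key_path = f"{path}.{key}" if path else key
                if SECRET_KEY_RE.search(key):
                    found.append(key_path)
                walk(value, key_path)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")

    walk(json.loads(json_text), "")
    return sorted(found)


if __name__ == "__main__":
    for name in campaign_repos(ORG_REPOS):
        print("suspicious public repository:", name)
    print("credential-like keys to rotate:", secret_like_keys(COMMITTED_JSON))
```

`secret_like_keys` deliberately reports key names only, never values, so its output can be pasted into an incident ticket without re-exposing the material; the point is to produce a rotation checklist, not to read the secrets.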
| Type | Indicator | Description |
| --- | --- | --- |
| PyPI Package Version | durabletask 1.5.1 | Malicious version of Microsoft’s Durable Task PyPI package pushed by attackers |
| PyPI Package Version | durabletask 1.5.2 | Malicious version of Microsoft’s Durable Task PyPI package pushed by attackers |
| PyPI Package Version | durabletask 1.5.3 | Malicious version of Microsoft’s Durable Task PyPI package pushed by attackers |
| External Service | TempGPT | External service used by Miasma to exfiltrate stolen GitHub Actions secrets |
| File Name | index.js | Non-robust loader targeted by Miasma’s preinstall hook execution signature |
| GitHub Action Tag | Azure/functions-action@v1 | Floating tag leveraged by the worm; pinning to a full SHA is recommended |
| Malware Name | Miasma / “The Spring Blight” | Self-replicating worm responsible for compromising 73 Microsoft GitHub repositories |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.